Rails 1.1.5: Mandatory security patch (and more)

Posted by Michael Wed, 09 Aug 2006 20:26:00 GMT

“We’re still hard at work on Rails 1.2, which features all the new dandy REST stuff and more, but a serious security concern has come to our attention that needed to be addressed sooner than the release of 1.2 would allow. So here’s Rails 1.1.5!

This is a MANDATORY upgrade for anyone not running on a very recent edge (which isn’t affected by this). If you have a public Rails site, you MUST upgrade to Rails 1.1.5. The security issue is severe and you do not want to be caught unpatched. The issue is in fact of such a criticality that we’re not going to dig into the specifics. No need to arm would-be assailants. So upgrade today, not tomorrow. We’ve made sure that Rails 1.1.5 is fully drop-in compatible with 1.1.4. It only includes a handful of bug fixes and no new features.

For the third time: This is not like ‘sure, I should be flossing my teeth’. This is ‘yes, I will wear my helmet as I try to go 100mph on a motorcycle through downtown in rush hour’. It’s not a suggestion, it’s a prescription. So get to it!

As always, the trick is to do ‘gem install rails’ and then either change config/environment.rb, if you’re bound to gems, or do ‘rake rails:freeze:gems’ if you’re freezing gems in vendor.

UPDATE: This problem affects 0.13, 0.14, 1.0, and 1.1.x. So here’s a happy opportunity to upgrade if you still haven’t.

P.S.: If you run a major Rails site and for some reason are completely unable to upgrade to 1.1.5, get in touch with the core team and we’ll try to work with you on a solution.”

(Via Riding Rails.)
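As an added, defender-side check (not code from the original post or from the Rails project): a small Ruby script that reads the RAILS_GEM_VERSION pin out of a config/environment.rb and flags any version the announcement lists as affected (0.13, 0.14, 1.0 and 1.1.x below 1.1.5). The sample file content is constructed, and treating 0.13 as the earliest affected release is an assumption taken from the version list quoted above.

```ruby
# Added example: audit a Rails app's pinned gem version against the
# versions named as affected in the 1.1.5 announcement.
require 'rubygems' # for Gem::Version comparisons

PATCHED = Gem::Version.new('1.1.5')
# Assumption: 0.13 is the earliest release the announcement names as affected.
AFFECTED_FLOOR = Gem::Version.new('0.13')

# Pull the version string from a line such as
#   RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION
# Commented-out pins are ignored because the line must start with the constant.
def pinned_rails_version(environment_rb)
  m = environment_rb.match(/^\s*RAILS_GEM_VERSION\s*=\s*['"]([^'"]+)['"]/)
  m && m[1]
end

# True when the pinned version falls inside the affected range [0.13, 1.1.5).
def affected?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_FLOOR && v < PATCHED
end

# :unpinned means the app loads whatever rails gem is installed, so the
# installed gem itself (gem list rails) or vendor/rails must be checked instead.
def audit(environment_rb)
  pin = pinned_rails_version(environment_rb)
  return :unpinned if pin.nil?
  affected?(pin) ? :affected : :ok
end

# Constructed sample of a config/environment.rb, not a real file.
SAMPLE_ENVIRONMENT_RB = <<~RUBY
  # Be sure to restart your web server when you modify this file.
  RAILS_GEM_VERSION = '1.1.4' unless defined? RAILS_GEM_VERSION
  require File.join(File.dirname(__FILE__), 'boot')
RUBY

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  content = path ? File.read(path) : SAMPLE_ENVIRONMENT_RB
  puts "#{path || 'sample'}: #{audit(content)}"
end
```

Run it with the path to an app's config/environment.rb; with no argument it audits the constructed sample, which reports :affected.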
